Route some ip addresses outside VPN
Hello, I'm a new member of this forum, but I have used it a lot before I became a member.
I have a router with pfSense but would like to change it in favour of OpenBSD pf. My setup looks like this: ISP **** ROUTER **** AP. I run one OpenVPN client on the router so that all machines on the wifi AP go through the VPN. Now comes the problem: I would want some of the clients' IP addresses to be routed through the WAN (without VPN). I have tried different routing alternatives but I haven't found anything that works. Everything else seems to work, even the "killswitch". Here is my pf.conf; any suggestions on optimizations would also be appreciated. Thanks in advance!!
Code:
ext_if = "em0"   # External interface
int_if = "em1"   # Internal interface
vpn_if = "tun0"  # VPN interface

table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
    172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
    192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
    203.0.113.0/24 }

set block-policy drop
set loginterface $ext_if
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)
match out on $ext_if inet from ($int_if:network) to any nat-to ($ext_if:0)
match out on $vpn_if inet from ($int_if:network) to any nat-to ($vpn_if:0)

block in quick on $ext_if from <martians> to any
block return out quick on $ext_if from any to <martians>

block all
pass in on $int_if from $int_if:network to any tag NO_WAN_EGRESS keep state
block quick on $ext_if tagged NO_WAN_EGRESS
#block return out quick on $ext_if tagged NO_WAN_EGRESS
pass out quick inet
#pass in on $int_if inet
Hello, and welcome!
Since tags are "sticky", you could add another pass rule with a different tag immediately following the first pass rule, such as:
Code:
pass in on $int_if from $int_if:network to any tag NO_WAN_EGRESS keep state
pass in from address tag WAN_EGRESS_IS_OK

For more on tags, see the pf.conf(5) man page and the packet tagging chapter of the PF User's Guide.
Thanks for the tips, jggimi, I will use your rule.
But that won't change the VPN issue. I have tried before, without the NO_WAN_EGRESS rules, to force one IP address to be routed through the WAN (to use my ISP IP, not the VPN), but whenever a VPN client is running on the server it changes its default route. I have searched forums and OpenBSD manuals but haven't really found a solution that works.
It's probably my explanation that is bad; English isn't my first language.
The VPN client is running on the router, and all machines on the local network that are connected through the LAN get the VPN provider's IP address. If I turn off the VPN client, all machines get my ISP IP address, hence the NO_WAN_EGRESS rule, so that if the VPN goes down no traffic will pass. What I want is for one or more machines on the LAN not to be routed through the VPN (to use the ISP IP address) while all the others use the VPN. I hope you understand me now.
Is dhcpd involved in your setup? Once the firewall is configured to pass traffic, it could be that if the various client machines were each configured with a specific gateway address, that might be a step closer to what you need. For example, if the router machine is running dhcpd then a specific gateway address for each LAN machine might be configured like this (I am guessing - *not tested*):
/etc/dhcpd.conf
Code:
option domain-name "mylan.net";

subnet 192.168.0.0 netmask 255.255.255.0 {
    option domain-name-servers 192.168.0.1;
    range 192.168.0.4 192.168.0.127;

    host lanws02 {
        hardware ethernet 00:00:00:00:00:00;
        fixed-address 192.168.0.2;
        option routers 10.0.0.1;
    }

    host lanws03 {
        hardware ethernet 00:00:00:00:00:00;
        fixed-address 192.168.0.3;
        option routers 192.168.0.1;
    }
}
hanzer, I'm not sure DHCP is involved in this specific issue, which is that a set of devices need to be excluded from using the OpenVPN tunnel. But that's if I understand the issue, of course.
The OP might come back with some clarification and more details.
Disclaimer: I'm not an OpenVPN user.
I'm sorry I have not answered earlier.
and the OpenVPN client is running on the OpenBSD router. I found that you can change some routing in the vpn.conf file, but it didn't work:
Code:
# redirect all default traffic via the VPN
redirect-gateway def1
# redirect the Intranet network 192.168.1/24 via the VPN
route 192.168.1.0 255.255.255.0
# redirect another network to NOT go via the VPN
route 10.10.0.0 255.255.255.0 net_gateway
# redirect a host using a domainname to NOT go via the VPN
route www.google.ca 255.255.255.255 net_gateway

But I can't figure out how, because it's a WebGUI and they scatter files around and use XML files; that's also one of the reasons I don't want to use pfSense (it does work great), but I like simplicity. This is what I got from the pf.rules in pfSense:
Code:
anchor "userrules/*" all
block return out quick on igb0 reply-to (igb0 xx.xxx.xx.xx ISP ip) inet all label "USER_RULE: Reject outbound traffic marked NO_WAN_EGRESS" tagged NO_WAN_EGRESS
pass in quick on igb1 inet from <NETFLIX> to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on igb1 route-to (igb0 xx.xxx.xx.xx ISP ip) inet from <NETFLIX> to any flags S/SA keep state label "USER_RULE: NETFLIX ON WAN not VPN"
pass in quick on igb1 inet from 192.168.1.0/24 to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination" tag NO_WAN_EGRESS
pass in quick on igb1 route-to (ovpnc1 10.128.0.1) inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to OVPN mark traffic as NO_WAN_EGR" tag NO_WAN_EGRESS
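An added example, not posted by anyone in this thread and untested: a pf.conf fragment in the style of the OP's ruleset that carries the pfSense NEGATE_ROUTE / route-to pattern above over to OpenBSD pf. It assumes the OP's em0/em1/tun0 interfaces, a placeholder ISP next hop 203.0.113.1 and a constructed <vpn_bypass> table of the LAN hosts that must keep the ISP address.

```pf
ext_if = "em0"    # ISP-facing interface
int_if = "em1"    # LAN interface
vpn_if = "tun0"   # OpenVPN tunnel
isp_gw = "203.0.113.1"   # placeholder: WAN next hop (netstat -rn with the VPN down)

# LAN hosts that must leave via the ISP address instead of the tunnel (constructed)
table <vpn_bypass> { 192.168.1.10 192.168.1.11 }

set block-policy drop
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)
match out on $ext_if inet from ($int_if:network) to any nat-to ($ext_if:0)
match out on $vpn_if inet from ($int_if:network) to any nat-to ($vpn_if:0)

block all

# Bypass hosts, step 1: traffic that stays on the LAN must not be policy-routed
# (the "NEGATE_ROUTE" rule in the pfSense output).
pass in quick on $int_if inet from <vpn_bypass> to $int_if:network keep state

# Bypass hosts, step 2: route-to sets the next hop per rule and ignores the
# routing table, so OpenVPN's redirect-gateway def1 cannot pull these packets
# into tun0. 'quick' keeps the tagging rule below from matching them.
# Interface-qualified form as in the pfSense output; newer OpenBSD releases
# take just the next-hop address, so check pf.conf(5) for your release.
pass in quick on $int_if inet from <vpn_bypass> to any \
    route-to ($ext_if $isp_gw) keep state

# Everyone else: the default route (the tunnel while it is up) plus the kill-switch
# tag, so a tunnel outage drops the packets on $ext_if instead of leaking them.
pass in on $int_if inet from $int_if:network to any tag NO_WAN_EGRESS keep state
block quick on $ext_if tagged NO_WAN_EGRESS

pass out quick inet
```

Check the syntax with pfctl -nf before loading; note that the OpenVPN route ... net_gateway directives quoted earlier select by destination, not by source host, which is why they cannot express this per-client exclusion.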